Description
Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml
Impact
A script can read any file accessible to the user account running the XWiki application server, using XML External Entity (XXE) injection through the XML script service: an XML document passed to the service may declare an external entity pointing at a local file, and the parser inlines that file's contents into the parsed result.
For example:
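The following is an added illustration of the attack pattern, not code from the advisory or from XWiki. It feeds a constructed XXE payload to a default JAXP DocumentBuilder, which resolves the external entity and returns the target file's contents, and then to the same parser configured to reject DOCTYPE declarations and external entities, which refuses the document. The class name, the payload and the target path are assumptions; the exact way the XML script service exposes parsing to wiki scripts (something like `$services.xml.parse(...)` is assumed, but not shown on this page) is independent of the hardening shown here.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {
    // Constructed XXE payload (assumption): declares an external general entity that
    // resolves to a local file and references it in element content, so a parser that
    // resolves external entities inlines the file into the document text.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<data>&xxe;</data>";

    // Unsafe: a DocumentBuilderFactory with default settings resolves external entities.
    static String parseUnsafe(String xml) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    // Hardened: reject any DOCTYPE up front (the payload fails before an entity is
    // declared) and, as defence in depth, disable external entity and DTD resolution
    // in case a caller later needs DOCTYPEs and relaxes the first feature.
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // With the default parser the element text is the contents of /etc/hostname.
        System.out.println("unsafe parse returned: " + parseUnsafe(PAYLOAD));
        try {
            parseHardened(PAYLOAD);
            System.out.println("hardened parse unexpectedly accepted the payload");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before any entity can be resolved.
            System.out.println("hardened parse rejected the payload: " + e.getMessage());
        }
    }
}
```

The check a reviewer applies to a fix of this class is that parsing is hardened in the shared XML utility rather than at individual call sites, since the script service is only one of the paths that reach the same parser; and that the hardening covers SAX, DOM and any XSLT or schema loading paths, each of which has its own factory with its own defaults.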
Patches
The problem has been patched in versions 12.10.10, 13.4.4 and 13.8-rc-1.
Workarounds
There is no easy workaround other than upgrading. Until the upgrade is done, grant Script rights sparingly, since exploitation requires the ability to run scripts in the wiki.
References
https://jira.xwiki.org/browse/XWIKI-18946
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki
- Email us at XWiki Security mailing-list
Packages
Package                                 Affected versions          Patched version
org.xwiki.commons:xwiki-commons-xml     >= 2.7, < 12.10.10         12.10.10
org.xwiki.commons:xwiki-commons-xml     >= 13.0.0, < 13.4.4        13.4.4
org.xwiki.commons:xwiki-commons-xml     >= 13.5-rc-1, <= 13.7      13.8-rc-1
Related vulnerabilities
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top-level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4 and 13.8-rc-1, a script can read any file accessible to the user running the XWiki application server, via XML External Entity injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4 and 13.8-rc-1. There is no easy workaround other than upgrading and being careful when granting Script rights.